C# 与 SQL 的连接

Question

[WebMethod] 
public void RegisterStudent(string Name, string Gender, int Marks)        
{            
    string connectionString = 
           "Data Source =SAJID-PC\\SQLEXPRESS;Initial Catalog=Design;Integrated Security=True";             
    SqlConnection con = new SqlConnection(connectionString);             
    con.Open();             
    String query = "INSERT INTO Students VALUES + ('" + Name + "', '" + Gender + "'," + Marks + ")";             
    SqlCommand sqlcom = new SqlCommand(query, con);
    sqlcom.ExecuteNonQuery();  
    con.Close();
}

调用该方法时出现此错误：

System.Data.SqlClient.SqlException：“+”附近的语法不正确。 在 System.Data.SqlClient.SqlConnection.OnError(SqlException 异常，Boolean breakConnection，Action1 wrapCloseInAction) 在 System.Data.SqlClient.SqlInternalConnection.OnError(SqlException 异常，Boolean breakConnection，Action1 wrapCloseInAction) 在 System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning (TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior) System.Data.SqlClient.SqlCommand.InternalExecuteNonQuery(TaskCompletionSource`1 completion, String methodName, Boolean sendToPipe, Int32 timeout, Boolean asyncWrite) at System.Data.SqlClient.SqlCommand.ExecuteNonQuery 的 String methodName、Boolean async、Int32 超时、Boolean asyncWrite) () 在 Assignment4Web.StudentService.RegisterStu dent(String Name, String Gender, Int32 Marks) in c:\\users\\sajid\\documents\\visual studio 2010\\Projects\\Assignment4Web\\Assignment4Web\\StudentService.asmx.cs:line 56

Answer 1

在Values之后删除不必要的+并在Marks周围添加' ，如下所示：

String query = "INSERT INTO Students VALUES ('" + Name + "', '" + Gender + "','" + Marks + "')";

尽管您应该始终使用parameterized queries来避免SQL Injection 。 像这样的东西：

SqlCommand sqlcom = new SqlCommand("INSERT INTO Students VALUES(@Name ,@Gender,@Marks");
cmd.Parameters.AddWithValue("@Name",Name);
cmd.Parameters.AddWithValue("@Gender",Gender);
cmd.Parameters.AddWithValue("@Marks",Marks);